The rationale for disabling the feature is that only RAX is using it and they enforce quotas separately?

I don't like assuming RAX is the only one using it. We have enough users now that it's impossible to predict what people may be doing. If we publish this issue, recommend disabling the extension and there are people who are using it ... then we've nicely screwed them.

How about we cook up the quotas patch and see how invasive it is? It might be backportable with manageable regression risk.

I took a quick look at folsom, and one small wart I've found is that I'd like to make the quota per project and the fixips model object doesn't store project id. Do people think this quota should be per project or per instance? If it's per instance, isn't it still pretty easy to DoS people? You just have to start a bunch of instances as well.

So, this took a long time to test and get right, but this new version of the folsom patch has been tested with devstack and appears to work. It includes Mark's request for a rollback of quota allocations on exceptions, and required re-writing the database code to count fixed_ips. I believe this patch is good to go for Folsom, but would appreciate comments from nova-cores.
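The per-project versus per-instance question and the rollback-on-exception behaviour discussed above, as an added illustration that is not part of the thread or of the Nova patch. Every name here (`FixedIpQuota`, `allocate_fixed_ip`, `simulate`) is hypothetical, and the address pool is constructed sample data.

```python
class OverQuota(Exception):
    """Raised when a reservation would exceed the configured limit."""

class FixedIpQuota:
    """Hypothetical quota store (not Nova's API): reserve, then commit or roll back."""
    def __init__(self, limit):
        self.limit = limit
        self.in_use = {}    # quota key -> committed address count
        self.reserved = {}  # quota key -> reserved but not yet committed

    def reserve(self, key):
        used = self.in_use.get(key, 0) + self.reserved.get(key, 0)
        if used + 1 > self.limit:
            raise OverQuota(key)
        self.reserved[key] = self.reserved.get(key, 0) + 1
        return key

    def commit(self, key):
        self.reserved[key] -= 1
        self.in_use[key] = self.in_use.get(key, 0) + 1

    def rollback(self, key):
        self.reserved[key] -= 1

def allocate_fixed_ip(quota, pool, key):
    """Reserve quota first; release the reservation if allocation fails."""
    reservation = quota.reserve(key)
    try:
        address = pool.pop()  # raises IndexError once the pool is empty
    except Exception:
        quota.rollback(reservation)  # without this, failed calls leak quota
        raise
    quota.commit(reservation)
    return address

def simulate(per_project, limit=3, pool_size=20, instances=10):
    """One project starts `instances` VMs, each asking for `limit` addresses."""
    quota = FixedIpQuota(limit)
    pool = [f"10.0.0.{i}" for i in range(1, pool_size + 1)]  # constructed pool
    granted = 0
    for inst in range(instances):
        key = "project-a" if per_project else f"project-a/instance-{inst}"
        for _ in range(limit):
            try:
                allocate_fixed_ip(quota, pool, key)
                granted += 1
            except (OverQuota, IndexError):
                break
    return granted, len(pool), quota
```

With the quota keyed per instance, the single project drains the whole pool; keyed per project, it stops at the limit and the remaining addresses stay available to other tenants.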

Yeah, I did think about that, but we don't care about rollback for floating ips, so I figure we similarly don't care for fixed ips. I've just found a PEP8 failure in this code, so I'll send yet another patch which fixes that in a minute.

Ok, here are patches for essex and folsom, both of which have been tested with devstack and pass PEP8. The Folsom one also passes unit tests, but I can't get the essex unit tests to run for me, so that one hasn't been done.

@ttx -- are you sure we don't need a patch for grizzly? That's how I am reading your "no longer affects nova/grizzly" above. Am I confused?

We need a patch for Grizzly, it's just that grizzly does not need a specific series task. It's tracked in the main bugtask. We only use series tasks when we need a stable/* backport. The main bugtask tracks "master" (master happening to be grizzly right now). So it's not "no longer affects Grizzly", it's "removing extraneous bugtask".

(reviewing the grizzly patch): All the quota tests seem to set fixed_ips quota just to the default of 10, which isn't a very good update test. That should be updated. Other than that this approach seems sane.

@ttx -- I pinged you with a draft of one the other day, but perhaps you didn't see it. How about something like this?

-----

SUBJECT: Vulnerability in OpenStack Nova

This is an advance warning of a vulnerability discovered in OpenStack,
to give you, as downstream stakeholders, a chance to coordinate the
release of fixes and reduce the vulnerability window. Please treat the
following information as confidential until the proposed public
disclosure date.

Description:
Vish Ishaya reported a vulnerability in Nova where there is no quota
for Fixed IPs. Previously the instance quota acted as a proxy for
a Fixed IP quota, but if your configuration allows an instance to
consume more than one Fixed IP via an extension such as multinic
then this is no longer true. Running out of Fixed IPs would result in
not being able to spawn new instances.

Proposed patches:
See attached patches. Unless a flaw is discovered in them, these
patches will be merged to Nova master (Grizzly), stable/folsom,
and stable/essex branches on the public disclosure date.

CVE:
No CVE has been assigned to this issue yet.

Proposed public disclosure date/time:
Tuesday, March 12, 1500UTC
Please do not make the issue public (or release public patches) before
this coordinated embargo date.

Regards,

-----

If we're running with that disclosure date we should probably send this out ASAP. Perhaps you could do it overnight?

Thanks ttx. At this point I think we should handle Sean's request for more unit tests for trunk in a separate patch. I'm happy to do that work, I just don't want to block this fix. Given I am trapped in a training course yet again today, can you please run with getting this disclosure email sent when we're ready?